Prevention of masquerade by using identification sequences

ABSTRACT

A method transmits a message between a transmitter and a receiver on a bus using an identifier associated with the transmitter/receiver path for the purpose of authentication and a message counter. The identifier is dynamically selected from an identification sequence depending on the message counter value and is integrated into the message check sum but not transmitted via the bus. A control device and a vehicle are adapted to carry out the method for transmitting a message.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is based on and hereby claims priority to International Application No. PCT/EP2010/003698 filed on Jun. 18, 2010 and German Application No. 10 2009 033 241.3 filed on Jul. 14, 2009, the contents of which are hereby incorporated by reference.

BACKGROUND

The invention relates to methods for transmitting a message between a transmitter and a receiver on a bus. The invention also relates to a control device and a vehicle which are set up to carry out the method for transmitting a message.

In order to protect data communication, the IEC 61508 safety standard requires proof that undetected failures of the communication process are estimated taking into account supposed error scenarios.

In this case, the measures are at the application level and protect the data from the safety-oriented data source to the data sink (so-called end-to-end protection). When considering errors, it is also necessary to estimate, inter alia for the masquerade error scenario, the likelihood of there being an undetected error in the communication process.

The AUDI communication model provides a system based on FlexRay and CAN. A plurality of safety-relevant communication paths can be used in a parallel manner in the communication system. In addition to the active participants in safety-oriented communication, other safety-relevant and non-safety-relevant communication paths are also present. A data-receiving participant in safety-oriented communication may only use the data received from the transmitter relevant to the participant, otherwise there is an undetected masquerade error.

The expression “masquerade” means that the true contents of a message are not correctly identified. For example, a message from an unsafe participant is incorrectly identified as a message from a safe participant.

In the case of a masquerade, the receiver thus assesses a non-authentic message as authentic. In this case, an authentic message means that the message is valid and its information was generated by an authenticated transmitter. The masquerade is usually caused by incorrect routing of a correct message, in which case transmission control devices, the gateway or else the receiver control device can effect the incorrect routing for the safety function under consideration. Errors which result in a masquerade can be divided into the three categories: random hardware faults, systematic software errors and random bit errors on the bus.

Masquerade caused by random hardware faults can be assessed as a requirement imposed on data communication by IEC 61508-2. If any form of data communication is used when performing a safety function, the likelihood of undetected failure of the communication process must be estimated. In this case, transmission errors, repetitions, loss, insertions, incorrect sequence, corruption, delay and masquerade must be taken into account. This likelihood must be taken into account when estimating the likelihood of the dangerous failure of the safety function on account of random hardware failures.

Systematic software errors, for instance as a result of an incorrect configuration, should be precluded by the development process and software or integration tests, in particular in the safety-oriented software of the transmitter and receiver with the end-to-end protection. There is no need to calculate a likelihood of occurrence since these errors occur in a determinate manner and not stochastically.

Random bit errors on the bus may result in incorrect interpretation of the information in the useful data, for instance owing to corruption of the message identifier in CAN and the receiver-selective message evaluation. A transmission code (TC1) for detecting bit errors on the bus has already been provided, according to the protocol, in the bus systems considered for this document. Bit errors which corrupt the message packets fall into the corruption error pattern according to the classification in IEC 61508-2. Bit errors on the bus would be decisive for the masquerade error pattern only when they relate to the identifier, for example in CAN, and the transmission code of the protocol would not detect them with sufficient likelihood.

The following is considered to be a fundamental prerequisite for all safety-oriented systems in the vehicle: partial or complete failure or intermittent or permanent disruption in communication must not lead to a safety-relevant vehicle state.

Requirements are defined for reliably detecting transmission errors in communication. For this purpose, additional information (message counter, checksum) is added to the actual useful data of the transmitter. This information is evaluated in the receiver. In this case, protection is effected end-to-end, that is to say from the safety-oriented software in the transmitter control device to the safety-oriented software in the receiver control device. The data packets generated by the application (safety protocol data units: S-PDUs) thus include useful data and redundancy for error detection.

When using a CRC-8 checksum, there is a maximum number of 256 identifiers for the unambiguous detection of masquerade. The identifier 0 is reserved for those messages which do not require any protection against masquerade. 255 unique identifiers thus remain for allocation to messages which need to be protected against masquerade, equivalent to just as many transmitter/receiver paths.

In the case of qualified errors in the receiver, the useful data or signals are not transferred to the safety-oriented software of the safety function. The safety functions are designed in such a manner that the “safe state timeout” fallback level is assumed in the case of intermittent or permanent disruption. Errors in the signals or useful data which remain undetected during evaluation can sometimes lead to the dangerous incident since the safety-oriented software interprets the incorrect data as valid and builds the calculations or decisions thereon.

SUMMARY

One potential object is to make it possible to detect incorrectly routed messages within the vehicle network when using a CRC-8 checksum for a number of more than 255 transmitter/receiver paths. In this case, there should be no need for any additional bus bandwidth for a protection mechanism and conformity with the safety requirements imposed on data communication from the relevant safety standards should be ensured.

In order to make it possible for a receiver to detect non-authentic messages (for example incorrectly routed messages), the protection concept proposed by the inventors provides for the use of an identifier at the transmitter end, the identifier changing dynamically on the basis of a message counter (BSZ). Each transmitter thus uses an identifier sequence. These dynamics in the identifier at the transmitter end make it possible—with the same range of values for the identifier (downward compatibility with the identifier concept according to the related art)—to distinguish more transmitters. The identifier space is thus expanded without an additional bus load. Static single-byte identifiers were previously used for each transmitter.

In a method for transmitting a message between a transmitter and a receiver using a message counter and a system for authenticating transmitter/receiver paths, the system for authenticating transmitter/receiver paths has identifier sequences having a plurality of identifiers, and an identifier is selected from the identifier sequences on the basis of the message counter.

The previously static single-byte identifier is thus preferably dynamically selected from an identifier sequence on the basis of the message counter value.

The identifier is preferably used to calculate the checksum.

For each transmitter/receiver path, the associated identifier sequence should preferably be stored in the transmitter and in the receiver.

In a further preferred manner, a message counter containing a plurality of values in the form of bits is used, two arbitrary identifier sequences having a matching identifier for a maximum of one value of the message counter.

In addition, an identifier sequence preferably has different identifiers for all values of the message counter (at all preferred 16 positions).

In particular, an identifier is used for non-safety-relevant messages, and the identifier sequences do not contain the identifier in the form of the identifier value for non-safety-relevant messages for any value of the message counter. In a further preferred manner, the identifier for non-safety-relevant messages is the value 0 and an identifier sequence does not contain the value 0 for any value of the message counter (at any of the preferred 16 positions).

A control device and/or a vehicle is/are set up to carry out one of the methods described above.

In summary, the invention has the following advantages:

-   -   With an unchanged range of values for the application checksum,         the dynamic identifier makes it possible to protect several         thousand messages in the network interconnection.     -   There is no need to change the message layout.     -   Consequently, there is no increase in the bus load.     -   The protection concept meets the requirements with regard to         data communication in current safety standards and in the future         automotive standard ISO 26262.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects and advantages of the present invention will become more apparent and more readily appreciated from the following description of the preferred embodiments, taken in conjunction with the accompanying drawing of which:

The FIGURE illustrates the implementation of message protection using a dynamic identifier in the transmitter.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Reference will now be made in detail to the preferred embodiments of the present invention, examples of which are illustrated in the accompanying drawing.

In order to transmit messages on a bus, an application prepares useful data from consistent signals for cyclical transmission. A message counter (BSZ) and a CRC-8 checksum are added to the useful data in order to protect against transmission errors. The S-PDU generated in this manner is then transferred from the application to the standard software and is transferred to a communication controller (CC) for transmission.

In the existing method for protecting against masquerade, a static message identifier which is dependent on the transmitter/receiver path is included, after the useful data to be protected, both in the transmitter and in the receiver in order to calculate the CRC checksum. However, the message identifier is not transmitted via the bus and is thus not part of the protected message. The message identifiers for all messages to be received are known a priori to each receiver. The correct assignment of message identifier to message takes place across the network and is ensured by the original equipment manufacturer.

The receiver application cyclically checks whether there is a new message. Every received message is checked for plausibility and the data are forwarded to the application of the safety function only if they are valid. The plausibility check is carried out by checking the CRC checksum and checking the plausibility of the BSZ value. A BSZ value is considered to be valid when it has been increased by a BSZ_(data) value, which depends on the time difference, in comparison with the counter reading of the message last qualified as valid: the further back in time the last message reception qualified as valid, the greater the maximum difference from the currently received BSZ may be. The range of allowed BSZ_(data) values is referred to as the BSZ validity range. Messages with BSZ outside this BSZ validity range are labeled invalid. Message reception with the same BSZ value as the message last qualified as valid results in a detected repetition (BSZ_(data)=0) and the message is labeled invalid.

The CRC calculation method and the generator polynomial are the same for all messages in the network interconnection. The unique calculation rule is defined in the requirement specification of the original equipment manufacturer. In addition to the CRC checksum, there are messages with an XOR checksum from previous protection methods. The message identifier is permanently predefined for every safety-relevant message and does not change over time. A CRC checksum having x bits has a range of values of 2^(x) and consequently a maximum of 2^(x) different message identifiers can be uniquely mapped to the CRC checksum in a reversible manner. In this case, different identifiers always result in different values of the CRC. This property is guaranteed with the specific selection of the generator polynomial. If the message identifier of the transmitter is different from the message identifier of the receiver, but there are otherwise no bit errors, the error is completely detected.

This results in a maximum number of 256 identifiers for the unambiguous detection of masquerade by the selected CRC-8 checksum. The identifier 0 is reserved for those messages which do not require any protection against masquerade. 255 unique identifiers thus remain for allocation to messages which need to be protected against masquerade, equivalent to just as many transmitter/receiver paths.

With the first detected CRC error in a terminal 15 cycle, the received message is labeled invalid and the “safe state timeout” fallback level is assumed as a precautionary measure for immediate consequential errors. The system returns to the normal operating state only when a particular number of messages within n evaluation cycles have been qualified as valid.

The first message is used to initialize the BSZ validity range and is not valid.

With the second detected CRC error within a terminal 15 cycle, the “safe state checksum” fallback level is assumed and is maintained for the entire terminal 15 cycle.

Expansion to more than 255 transmitter/receiver paths (S-PDUs) protected against masquerade is necessary, and masquerade errors are intended to be reliably detected, with the result that dangerous incidents on account of masquerade do not exceed the limit value for safety integrity level 3 (SIL3) of the IEC-61508 standard.

Owing to the required compatibility with control devices which are already in production, the already existing safety code CRC-8, the message layout and the static message identifiers which have already been allocated are intended to be retained. The bandwidth available for signals is not intended to become narrower, that is to say expansion to a CRC-12 or a CRC-16 is not desirable. The new masquerade concept is intended to be an extension of the proof which has already been provided. Advantages of the new concept for protecting against masquerade are thus:

-   -   a considerably larger number of protected transmitter/receiver         paths,     -   a simple process when allocating the message identifiers,     -   the limit value for SIL3 is complied with,     -   extension of the proof which has already been provided,     -   retention of the generator polynomial for the CRC-8 checksum,     -   the same bandwidth for signals,     -   an unchanged message layout,     -   backward compatibility with the previous concept, and     -   applicability to asynchronous transmitters and/or receivers.

The FIGURE illustrates the implementation of message protection using a dynamic identifier in the transmitter.

Only an understanding of the message identifier to be allowed for, which is consistent with the transmitter, is essential for the CRC evaluation in the receiver. The new concept provides an identifier sequence and builds on the requirement imposed on the receiver application that at least two undetected erroneous messages are necessary for a dangerous incident.

The previously static identifier (remaining the same over time) is extended to an identifier sequence of 16 identifiers. The identifier to be used from the identifier sequence is selected on the basis of the BSZ value in the received message.

For each transmitter/receiver path in the network, one of N identifier sequences is allocated for the messages, uniquely labeled K_(idx)={1, 2, . . . , N}. In this case, each identifier sequence includes 16 identifiers, subsequently uniquely labeled k_(i,0), k_(i,1), . . . , k_(i,15) for K_(idx)=i.

The allocated identifier sequences comply with the properties of the following necessary conditions. In this case, conditions 1 to 5 relate to the generation of the identifiers but conditions 6 to 8 relate to the allocation process.

Condition 1: the previous static message identifiers correspond to the special cases of static identifier sequences with matching values at the 16 positions. Backward compatibility with the static identifiers is thus ensured. For K_(idx)=iε{0, 1, . . . , 255}, k_(i)=i=k_(i,0)= . . . =k_(i,0)= . . . =k_(i,15) for each static message identifier.

Condition 2: two arbitrary identifier sequences may have a matching identifier for a maximum of one BSZ value (at a maximum of one position).

For K_(idx)=i, jε{0, 1, . . . , N}, i≠j and m, nε{0, 1, . . . , 15}, where m≠n, the following applies:

-   -   If k_(i,m)=k_(j,m), it follows that k_(i,n)≠k_(j,n).

Condition 3: a dynamic identifier sequence must have different identifiers for all BSZ values (at all 16 positions).

For K_(idx)=iε{256, 257, . . . , N} and m, nε{0, 1, . . . , 15}, where m≠n, the following applies: k_(i,m)≠k_(i,n).

Condition 4: a dynamic identifier sequence must not contain the value 0 for any BSZ value (at any of the 16 positions).

For K_(idx)=iε{256, 257, . . . , N} and mε{0, 1, . . . , 15}, the following applies: k_(i,m)≠0.

Condition 5: the structure of the list of dynamic identifier sequences must not have a regularity which can be reproduced for expected random hardware faults. The structure of the identifier table is intended to be similar to allocation by a stochastic process.

No identifier must occur with significant accumulation. In addition, there must be no simple or directly discernible relationship between the identifiers within the identifier sequences, that is to say only one “intelligent error” may result in a valid identifier sequence.

This condition is ensured by the algorithm for determining the identifier sequences.

Condition 6: an identifier sequence can be allocated for a particular S-PDU length only when the identifier sequence results in 16 CRC checksums, which all differ (in pairs if desired), with useful data which remain the same but a continuous BSZ.

For K_(idx)=iε{0, 1, . . . , N}, message counter m, nε{0, 1, . . . , 15}, m≠n and rε{1, . . . , 40}, the following applies: CRC(m, db₂, . . . , db_(r), k_(i,m))≠CRC(n, db₂, . . . , db_(r), k_(i,n)).

In this case, CRC(·) denotes the function for calculating the CRC-8 checksum of the data bytes db₁=m to db_(r).

Condition 7: a dynamic identifier sequence can be allocated for a particular S-PDU length only when the identifier sequence results in 16 CRC checksums, which match the 16 XOR checksums at a maximum of one position (that is to say for one BSZ value), with any desired useful data which remain the same but with a continuous BSZ.

For K_(idx)=iε{256, 257, . . . , N}, m, nε{0, 1, . . . , 15}, m≠n and rε{1, . . . , 40}, the following applies:

-   -   If CRC(m, db₂, . . . , db_(r), k_(i,m))=XOR(m, db₂, . . . ,         db_(r), k_(XOR)), it follows that CRC(n, db₂, . . . , db_(r),         k_(i,n))≠XOR(n, db₂, . . . , db_(r), k_(XOR)).

In this case, CRC(·) denotes the function for calculating the CRC-8 checksum, XOR(·) denotes the function for calculating the XOR checksum and k_(XOR) denotes an arbitrary static identifier of the XOR checksum.

Condition 8: any identifier sequence may be allocated only once for a particular S-PDU length. An exception is the static identifier 0 which may be repeatedly allocated for non-safety-relevant messages.

The invention has been described in detail with particular reference to preferred embodiments thereof and examples, but it will be understood that variations and modifications can be effected within the spirit and scope of the invention covered by the claims which may include the phrase “at least one of A, B and C” as an alternative expression that means one or more of A, B and C may be used, contrary to the holding in Superguide v. DIRECTV, 69 USPQ2d 1865 (Fed. Cir. 2004). 

1-8. (canceled)
 9. A method for transmitting a message between a transmitter and a receiver, comprising: using a message counter to count messages and produce a message counter value; assigning to each transmitter/receiver path a corresponding identifier sequence unique to the transmitter/receiver path; for each message, dynamically selecting an identifier from the identifier sequence corresponding to the transmitter/receiver path, the selected identifier being chosen based on the message counter value; and using the selected identifier to calculate a checksum for authentication.
 10. The method according to claim 9, wherein a list of assigned identifier sequences is available to the transmitter and to the receiver.
 11. The method according to claim 9, wherein a list of assigned identifier sequences is stored in both the transmitter and the receiver.
 12. The method according to claim 9, wherein a plurality of bits is used to form the message counter value.
 13. The method according to claim 11, wherein two arbitrary identifier sequences have a matching identifier for a maximum of one message counter value.
 14. The method according to claim 11, wherein each identifier sequence uses different identifiers for all message counter values.
 15. The method according to claim 11, wherein a non-safety identifier is used for non-safety-relevant messages, the identifier sequences are used for safety-relevant messages, and the identifier sequences do not contain the non-safety identifier for any message counter value.
 16. The method according to claim 11, wherein a plurality of bits is used to form the message counter value.
 17. The method according to claim 16, wherein two arbitrary identifier sequences have a matching identifier for a maximum of one message counter value.
 18. The method according to claim 17, wherein each identifier sequence uses different identifiers for all message counter values.
 19. The method according to claim 18, wherein a non-safety identifier is used for non-safety-relevant messages, the identifier sequences are used for safety-relevant messages, and the identifier sequences do not contain the non-safety identifier for any message counter value.
 20. A control device comprising: a message counter to count messages and produce a message counter value; a memory to store an identifier sequence unique to a corresponding transmitter/receiver path; and a processor to: dynamically select, for each message, an identifier from the identifier sequence corresponding to the transmitter/receiver path, the selected identifier being chosen based on the message counter value; and use the selected identifier to calculate a checksum for authentication.
 21. A vehicle comprising: a plurality of transmitters; a plurality of receivers; a communication bus having a plurality of transmit/receive paths; a control device provided in at least some of the transmitters and receivers, the control device comprising: a message counter to count messages and produce a message counter value; a memory to store an identifier sequence unique to a corresponding transmitter/receiver path; and a processor to: dynamically select, for each message, an identifier from the identifier sequence corresponding to the transmitter/receiver path, the selected identifier being chosen based on the message counter value; and use the selected identifier to calculate a checksum for authentication. 